Appendix A: Keystroke event special character notation

The keystroke.keydata field in the keystroke event represents non-alphanumeric characters and control sequences using a special notation. For example, a print screen key is represented by the string “[PRNTSCRN]”. A function key, such as F1, is represented as “[F1]”. The list below shows the notations used for various non-alphanumeric keys.

The notations for various non-alphanumeric keys.

The list below shows the notations used for various control sequences.

The notations used for various control sequences.

The rule samples below demonstrate how to match against special keys and control sequences. These rules match against various key sequences used to cut, paste, copy, and screenshot.

screenshot (keystroke.pid, 2, 10) when stristr (keystroke.keydata, "[WIN+SHIFT+S]");

screenshot (keystroke.pid, 2, 10) when stristr (keystroke.keydata,"[CTRL+C]");

screenshot (keystroke.pid, 2, 10) when stristr (keystroke.keydata,"[CTRL+X]");

screenshot (keystroke.pid, 2, 10) when stristr (keystroke.keydata,"[PRNTSCRN]");

screenshot (keystroke.pid, 2, 10) when stristr (keystroke.keydata, "[ALT+PRNTSCRN]");

screenshot (keystroke.pid, 2, 10) when stristr (keystroke.keydata, "[CTRL+V]");

screenshot (keystroke.pid, 2, 10) when stristr (keystroke.keydata,"[SHIFT+INSERT]");